The blog of Rahoul Baruah from 3hv Ltd

What's going on?

My name is Rahoul Baruah (aka Baz) and I'm a software developer in Leeds (England).

This is a log of things I've discovered while writing software in Ruby on Rails. In other words, geek stuff.

However, I've decided to put this blog on ice - I would ask you to check out my business blog here (or subscribe here).

30 January, 2006

SQL Server Stored Procedures and Rails

DHH says "it's not the Rails way" but I needed to access our application's stored procedures, so I wrote a module to do it.

This code is Copyright 2006 Rahoul Baruah - and is made available under the terms of the GNU Lesser General Public Licence.

Copy this code into a file named "sql_server.rb" and drop it into your models folder. Then, take one of your actual models, "include SQLServer" - and you have access to these functions that allow you to call SQL Server stored procedures.


ant said...

unless you do lots of validation on the paramaters, this method could be used to launch an injection attack against the database.
set one of the paramaters to be ';drop table ImportantTable'
the sql then executed is

exec @return_value = exec Myproc ; drop table ImportantTable

and the table ImportantTable is dropped

Baz said...

I've changed it to quote all parameter values - so now it relies on SQL Server to do the right thing (which is pretty doubtful).

Joe Williams said...

Hahahahahahahaha stupid priests

Anonymous said...

if youre doing dynamic sql by parameters you deserve any stupid njections you get

Baz said...

yes, there's an M in MVC you know

Joshua Brule said...

Thanks alot. Great help

eXTReMe Tracker